From fb632f22912fd30df3cdfc4c7c34a2293cafe885 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Tue, 21 Feb 2023 15:19:01 +0100
Subject: Restrict user search/import to cf admins

All users can still enumerate local users, but the functionality to search the central database is restricted to admins only.

Reported by Benjamin Flesch
---
 pgcommitfest/commitfest/ajax.py | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'pgcommitfest/commitfest/ajax.py')

diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
index c188684..e334c57 100644
--- a/pgcommitfest/commitfest/ajax.py
+++ b/pgcommitfest/commitfest/ajax.py
@@ -223,6 +223,9 @@ def detachThread(request):
 def searchUsers(request):
+    if not request.user.is_staff:
+        return []
+
     if request.GET.get('s', ''):
         return user_search(request.GET['s'])
     else:
@@ -230,6 +233,9 @@ def searchUsers(request):
 def importUser(request):
+    if not request.user.is_staff:
+        raise Http404()
+
     if request.GET.get('u', ''):
         u = user_search(userid=request.GET['u'])
         if len(u) != 1:
-- 
cgit v1.2.3
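Review bot: The `is_staff` gate added at the top of searchUsers silently returns `[]`, which a caller cannot distinguish from "no match", and the same inline test is repeated in the importUser hunk below, so any further view added to this file can simply omit it. Hoisting the check into one reusable guard keeps both endpoints consistent and leaves the policy auditable in a single place; a small helper such as `def _require_cf_admin(request):` / `    if not request.user.is_staff:` / `        raise PermissionDenied` (from `django.core.exceptions`) called first in both views would do, or Django's `user_passes_test` if a redirect response is acceptable for these ajax views. The commit message speaks of "cf admins" while the code tests Django's `is_staff` flag; a one-line comment would make that mapping explicit, e.g. `# Searching the central user database is restricted to CF admins (is_staff).` Both view bodies continue outside their hunks.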
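Review bot: `raise Http404()` in importUser reports an authorization failure as "not found", so a non-admin hitting this endpoint is logged and surfaced exactly like a request for a user id that does not exist, which hides the access-control event from monitoring and also differs from the empty list searchUsers returns for the same condition. Django's `PermissionDenied` (403) names the real reason and is the conventional response for an authenticated but unauthorized user; if hiding the endpoint from non-admins is deliberate, a comment stating that would keep the next reader from "correcting" it, e.g. `# 404 rather than 403 on purpose: do not reveal this endpoint to non-admins.` The body of importUser, including the `len(u) != 1` branch, continues beyond the hunk.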